
Blocking untunneled connections with SSH
#392
Blocking untunneled connections with SSH 13 Years, 3 Months ago Karma: 0
I have successfully applied the procedure for tunneling Goglobal (port 491) through SSH port 22, see tech note at webdev.graphon.com/support/techsupport/g...s/ssh_technote.html, yet I am unable to enforce it. If users do not enable the tunneling, they can just connect to the server via port 491 without encryption. Is there any way of blocking port 491 at the server level so that untunneled connections will be forbidden? Otherwise, one can set the regular port to 0 and only enable port 791 for SSL, but this is not our objective. We want to use SSH.
hydrocct
 
#400
Re: Blocking untunneled connections with SSH 13 Years, 3 Months ago Karma: 0
One solution would be to use TCP wrappers to intercept any connection on port 491, but I have not succeeded in using the gold daemon with inetd. The goglobalux script fails to start the gold daemon, if gold is integrated into inetd. If gold is not compatible with inetd, then tcpd (the wrapper daemon that controls access to inetd-controlled daemons) cannot be used.

Without this access control, an un-encrypted access to gold cannot be blocked. Even if I enable tunnelling of 491 through ssh port 22, clients can always connect to port 491 directly.
hydrocct
 
#412
Re: Blocking untunneled connections with SSH 13 Years, 2 Months ago Karma: 2
Unfortunately, you are correct -- gold cannot be run via inetd, and there is no built-in tcp wrapper support. If you want to block access to port 491 (except for certain hosts/ports/etc) the only way to do this at present is with an external access restriction (i.e. a firewall).

Troy
troy
Administrator
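Troy's answer points at an external firewall as the only enforcement option. The following is one way to do that on the GO-Global host itself, added here as an example that is not from this thread or from GraphOn: it assumes Linux with iptables, and that clients forward port 491 over SSH to the server (e.g. `ssh -L 491:127.0.0.1:491 user@server`), so tunneled sessions reach gold over the loopback interface while direct connections arrive on the external interface and are refused.

```shell
#!/bin/sh
# Added example (not from the thread or from GraphOn): accept GO-Global's
# port 491 only on the loopback interface, where connections from an SSH
# tunnel terminated on this host arrive; reject everything else with a
# TCP reset so an untunneled client fails fast instead of hanging.
# Assumes Linux iptables and that sshd permits TCP forwarding
# (AllowTcpForwarding, which defaults to yes).

GG_PORT=491   # the gold listener port discussed in the thread

# Print the rules without applying them, so they can be reviewed first.
gg_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $GG_PORT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport $GG_PORT -j REJECT --reject-with tcp-reset
EOF
}

# Apply the printed rules (requires root); stops at the first failure.
gg_apply() {
    gg_rules | sh -e
}

# Exit 0 if the REJECT rule is present (requires root), non-zero otherwise.
gg_check() {
    iptables -C INPUT -p tcp --dport "$GG_PORT" -j REJECT \
        --reject-with tcp-reset 2>/dev/null
}

case "${1:-}" in
    --apply) gg_apply ;;
    --check) gg_check && echo "port $GG_PORT is restricted to the tunnel" ;;
    *)       gg_rules ;;
esac
```

Run it with no arguments to see the rules, `--apply` as root to install them, and `--check` to confirm they are still in place after a reboot or a firewall reload.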
 
#1609
Re: Blocking untunneled connections with SSH 10 Years, 10 Months ago Karma: 0
I have the exact opposite happening - I can forward port 491 over ssh and connect, but I can't connect directly to port 491 without using ssh. Any idea?

In the gold-hostname-master.log file I see:
(master) [date] leader[3]: error running leader: Unexpected stream closure

I have disabled any firewalls in the OS.
rohling
 
#1610
Re: Blocking untunneled connections with SSH 10 Years, 10 Months ago Karma: 0
The server is 2.2.3.862 running on Red Hat Enterprise Linux WS release 4 (Nahant) on an x64 server. The client is 2.2.3.862 220 on a Windows XP Service Pack 1 machine.
rohling
 
#1611
Re: Blocking untunneled connections with SSH 10 Years, 10 Months ago Karma: 0
It also appears to allow secure socket connections, just not unencrypted TCP/IP connections.
rohling
 